Malware is software designed to infiltrate or damage a computer system without the owner's consent. The term is probably a combination of “malicious” and “software”, and describes the intent of the creator rather than any particular features. The term malware normally encompasses computer viruses, Trojan horses, spyware and adware.
Many early infectious programs, including the Internet Worm and a number of viruses, were written as experiments or pranks. That is, they were intended to be annoying rather than to cause serious damage. For example, programmers might write an infectious program just to prove that they can do it, or to see how far the infectious program could spread.
A slightly more hostile intent can be found in programs designed to vandalize or cause data loss. For example, some viruses are designed to destroy files or corrupt a file system by writing junk data. Others are network-borne worms designed to vandalize Web pages. In other cases, revenge is the motivator for writing malicious software: for example, a programmer about to be fired from a job may write a virus to damage the former employer's systems or destroy the programmer's own earlier work.
Moreover, a large portion of malicious software is focused strictly on a profit motive. For example, a majority of viruses and worms have been designed to take control of users' computers. Infected computers are “hijacked” and are remotely used to send email spam, host contraband data or engage in distributed denial-of-service attacks as a form of extortion.
Another strictly for-profit category of malware has emerged in spyware, that is, programs designed to monitor users' Internet browsing. In some cases, the spyware displays unsolicited advertisements that provide marketing revenues to the spyware creator.
Presently, stealth malware tries to hide itself on the computing system so that users cannot see it. The user therefore does not recognize the infection and does not know that the computing system is infected until it is too late, that is, after the malware has performed its malicious purpose. In one case, the malware hooks the application programming interface (API) to present a view of the filesystem, registry, and the like that does not show or contain the malware's own resources.
Current methods for detecting stealth malware include checking for, or detecting, patching of either data structures or code. However, the malware can easily change the patch points to bypass these checks. Moreover, these checking and detecting techniques likely require loading kernel-mode drivers, which is difficult and time consuming.
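As an added illustration, not part of the original text, the following Python contrasts the patch-point check described above with a whole-region integrity check and a cross-view listing check; the byte region, watched offsets and directory listings are constructed samples, not data from any real system.

```python
import hashlib

# Constructed sample: a baseline copy of a small code region (not real machine code).
BASELINE = bytes(range(64))

# Constructed assumption: the offsets a fixed patch-point check would watch,
# e.g. a function prologue and a known call site.
WATCHED_OFFSETS = (0, 5, 32)


def check_fixed_points(region, baseline, offsets=WATCHED_OFFSETS):
    """Patch-point check: report watched offsets whose bytes differ from baseline.

    Cheap, but blind to a modification placed at any offset that is not watched,
    which is the weakness the text describes.
    """
    return [o for o in offsets if region[o] != baseline[o]]


def check_whole_region(region, baseline):
    """Whole-region integrity check: report every offset that differs from baseline.

    A hash comparison handles the common unmodified case in one step; only on a
    mismatch are the bytes walked to locate the change, wherever it was placed.
    """
    if hashlib.sha256(region).digest() == hashlib.sha256(baseline).digest():
        return []
    return [i for i, (a, b) in enumerate(zip(region, baseline)) if a != b]


def hidden_entries(api_view, raw_view):
    """Cross-view check for a filtered API.

    Entries present in a raw view (e.g. a directory parsed directly from disk)
    but missing from the API-reported view indicate that the API is hiding them.
    """
    return sorted(set(raw_view) - set(api_view))


# Constructed sample of a modified region: five bytes changed at offset 20,
# deliberately away from every watched offset.
_modified = bytearray(BASELINE)
_modified[20:25] = b"\xAA" * 5
MODIFIED = bytes(_modified)

if __name__ == "__main__":
    print("fixed-point check:", check_fixed_points(MODIFIED, BASELINE))   # []
    print("whole-region check:", check_whole_region(MODIFIED, BASELINE))  # [20, 21, 22, 23, 24]
    print("hidden:", hidden_entries(["a.txt", "b.txt"], ["a.txt", "b.txt", "x.sys"]))
```

The fixed-point check reports nothing for the modified region while the whole-region check locates the change, which is why the text notes that moving the patch points defeats point checks.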
Therefore, what is needed is a method for using asynchronous changes to memory to detect malware.